<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Cross cluster search and security | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'cross-cluster-configuring.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/cross-cluster-configuring.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/cross-cluster-configuring.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/cross-cluster-configuring.html" rel="nofollow" target="_blank">../en/cross-cluster-configuring.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="ccs-clients-integrations.html">Cross cluster search, clients, and integrations</a></span>
»
<span class="breadcrumb-node">Cross cluster search and security</span>
</div>
<div class="navheader">
<span class="prev">
<a href="ccs-clients-integrations.html">« Cross cluster search, clients, and integrations</a>
</span>
<span class="next">
<a href="java-clients.html">Java Client and security »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="cross-cluster-configuring"></a>Cross cluster search and security<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/cross-cluster.asciidoc">edit</a>
</h2>
</div></div></div>
<p><a href="modules-cross-cluster-search.html" class="ulink" target="_top">Cross cluster search</a> enables
federated search across multiple clusters. When using cross cluster search
with secured clusters, all clusters must have the Elasticsearch security features
enabled.</p>
<p>The local cluster (the cluster used to initiate cross cluster search) must be
allowed to connect to the remote clusters, which means that the CA used to
sign the SSL/TLS key of the local cluster must be trusted by the remote
clusters.</p>
<p>User authentication is performed on the local cluster and the user and user’s
roles are passed to the remote clusters. A remote cluster checks the user’s
roles against its local role definitions to determine which indices the user
is allowed to access.</p>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<p>This feature was added as Beta in Elasticsearch <code class="literal">v5.3</code> with further improvements made in
5.4 and 5.5. It requires gateway eligible nodes to be on <code class="literal">v5.5</code> onwards.</p>
</div>
</div>
<p>To use cross cluster search with secured clusters:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Enable the Elasticsearch security features on every node in each connected cluster.
For more information about the <code class="literal">xpack.security.enabled</code> setting, see
<a href="security-settings.html" class="ulink" target="_top">Security Settings in Elasticsearch</a>.
</li>
<li class="listitem">
Enable encryption globally. To encrypt communications, you must enable
<a class="xref" href="ssl-tls.html" title="Setting up TLS on a cluster">enable SSL/TLS</a> on every node.
</li>
<li class="listitem">
<p>Enable a trust relationship between the cluster used for performing cross
cluster search (the local cluster) and all remote clusters.  This can be done
either by:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Using the same certificate authority to generate certificates for all
connected clusters, or
</li>
<li class="listitem">
Adding the CA certificate from the local cluster as a trusted CA in
each remote cluster (see <a href="security-settings.html#transport-tls-ssl-settings" class="ulink" target="_top">Transport TLS settings</a>).
</li>
</ul>
</div>
</li>
<li class="listitem">
On the local cluster, ensure that users are assigned to (at least) one role
that exists on the remote clusters.  On the remote clusters, use that role
to define which indices the user may access.  (See <a class="xref" href="authorization.html" title="User authorization"><em>User authorization</em></a>).
</li>
<li class="listitem">
<p>Configure the local cluster to connect to remote clusters as described
in <a href="modules-remote-clusters.html#configuring-remote-clusters" class="ulink" target="_top">Configuring Remote Clusters</a>.
For example, the following configuration adds two remote clusters
to the local cluster:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">PUT _cluster/settings
{
  "persistent": {
    "cluster": {
      "remote": {
        "cluster_one": {
          "seeds": [ "10.0.1.1:9300" ]
        },
        "cluster_two": {
          "seeds": [ "10.0.2.1:9300" ]
        }
      }
    }
  }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1264.console"></div>
</li>
</ul>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_example_configuration_of_cross_cluster_search"></a>Example Configuration of Cross Cluster Search<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/cross-cluster.asciidoc">edit</a>
</h3>
</div></div></div>
<p>In the following example, we will configure the user <code class="literal">alice</code> to have permissions
to search any index starting with <code class="literal">logs-</code> in cluster <code class="literal">two</code> from cluster <code class="literal">one</code>.</p>
<p>First, enable cluster <code class="literal">one</code> to perform cross cluster search on remote cluster
<code class="literal">two</code> by running the following request as the superuser on cluster <code class="literal">one</code>:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">PUT _cluster/settings
{
  "persistent": {
    "cluster.remote.cluster_two.seeds": [ "10.0.2.1:9300" ]
  }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1265.console"></div>
<p>Next, set up a role called <code class="literal">cluster_two_logs</code> on both cluster <code class="literal">one</code> and
cluster <code class="literal">two</code>.</p>
<p>On cluster <code class="literal">one</code>, this role does not need any special privileges:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/cluster_two_logs
{
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1266.console"></div>
<p>On cluster <code class="literal">two</code>, this role allows the user to query local indices called
<code class="literal">logs-</code> from a remote cluster:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/role/cluster_two_logs
{
  "cluster": [],
  "indices": [
    {
      "names": [
        "logs-*"
      ],
      "privileges": [
        "read",
        "read_cross_cluster"
      ]
    }
  ]
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1267.console"></div>
<p>Finally, create a user on cluster <code class="literal">one</code> and apply the <code class="literal">cluster_two_logs</code> role:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">POST /_security/user/alice
{
  "password" : "somepassword",
  "roles" : [ "cluster_two_logs" ],
  "full_name" : "Alice",
  "email" : "alice@example.com",
  "enabled": true
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1268.console"></div>
<p>With all of the above setup, the user <code class="literal">alice</code> is able to search indices in
cluster <code class="literal">two</code> as follows:</p>
<div class="pre_wrapper lang-console">
<pre class="programlisting prettyprint lang-console">GET two:logs-2017.04/_search <a id="CO494-1"></a><i class="conum" data-value="1"></i>
{
  "query": {
    "match_all": {}
  }
}</pre>
</div>
<div class="console_widget" data-snippet="snippets/1269.console"></div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="cross-cluster-kibana"></a>Cross-cluster search and Kibana<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/cross-cluster-kibana.asciidoc">edit</a>
</h3>
</div></div></div>
<p>When Kibana is used to search across multiple clusters, a two-step authorization
process determines whether or not the user can access indices on a remote
cluster:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
First, the local cluster determines if the user is authorized to access remote
clusters. (The local cluster is the cluster Kibana is connected to.)
</li>
<li class="listitem">
If they are, the remote cluster then determines if the user has access
to the specified indices.
</li>
</ul>
</div>
<p>To grant Kibana users access to remote clusters, assign them a local role
with read privileges to indices on the remote clusters. You specify remote
cluster indices as <code class="literal">&lt;remote_cluster_name&gt;:&lt;index_name&gt;</code>.</p>
<p>To enable users to actually read the remote indices, you must create a matching
role on the remote clusters that grants the <code class="literal">read_cross_cluster</code> privilege
and access to the appropriate indices.</p>
<p>For example, if Kibana is connected to the cluster where you’re actively
indexing Logstash data (your <em>local cluster</em>) and you’re periodically
offloading older time-based indices to an archive cluster
(your <em>remote cluster</em>) and you want to enable Kibana users to search both
clusters:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>On the local cluster, create a <code class="literal">logstash_reader</code> role that grants
<code class="literal">read</code> and <code class="literal">view_index_metadata</code> privileges on the local <code class="literal">logstash-*</code> indices.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you configure the local cluster as another remote in Elasticsearch, the
<code class="literal">logstash_reader</code> role on your local cluster also needs to grant the
<code class="literal">read_cross_cluster</code> privilege.</p>
</div>
</div>
</li>
<li class="listitem">
Assign your Kibana users a role that grants
<a href="https://www.elastic.co/guide/en/kibana/7.7/xpack-security-authorization.html" class="ulink" target="_top">access to Kibana</a>
as well as your <code class="literal">logstash_reader</code> role.
</li>
<li class="listitem">
On the remote cluster, create a <code class="literal">logstash_reader</code> role that grants the
<code class="literal">read_cross_cluster</code> privilege and <code class="literal">read</code> and <code class="literal">view_index_metadata</code> privileges
for the <code class="literal">logstash-*</code> indices.
</li>
</ol>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="ccs-clients-integrations.html">« Cross cluster search, clients, and integrations</a>
</span>
<span class="next">
<a href="java-clients.html">Java Client and security »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>